Critical severity 9.8 (NVD Advisory) · Published Sep 26, 2016 · Updated Jun 17, 2026
CVE-2016-4972
Description
OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
Affected packages
Versions sourced from the GitHub Security Advisory. Note that the table below omits the murano 2.x before 2.0.1 (mitaka) range that the description above lists as affected; treat murano 2.0.0 as vulnerable and 2.0.1 as the mitaka fix, in line with the dashboard and client rows.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| murano | PyPI | < 1.0.3 | 1.0.3 |
| murano-dashboard | PyPI | < 1.0.3 | 1.0.3 |
| murano-dashboard | PyPI | >= 2.0.0, < 2.0.1 | 2.0.1 |
| python-muranoclient | PyPI | < 0.7.3 | 0.7.3 |
| python-muranoclient | PyPI | >= 0.8.0, < 0.8.5 | 0.8.5 |
Affected products
No CPE identifiers are assigned to this advisory. The GHSA coordinates list three version ranges without a CPE: murano < 1.0.3, murano-dashboard < 1.0.3 and python-muranoclient < 0.7.3; the 2.x and 0.8.x ranges in the package table above apply as well.
Patches
The murano fix commit and its release note (safeloader-cve-2016-4972) are listed in the references below; the Launchpad bugs 1586079 (murano) and 1586078 (python-muranoclient) track the vendor fixes. Upgrade to the patched versions in the table above, and for any locally maintained fork check that no loader class in the MuranoPL or UI parsing code still derives from yaml.Loader.
Vulnerability mechanics
PyYAML's yaml.Loader carries the full constructor set, which includes the python/* tags (python/name, python/module, python/object, python/object/apply, python/object/new). Any class that subclasses yaml.Loader to add project-specific tags inherits those constructors unchanged, so a package author who ships a UI definition or MuranoPL file containing a tag such as !!python/object/apply can have the parser import a module and call an arbitrary callable with attacker-chosen arguments while the document is being loaded. yaml.SafeLoader constructs only the core YAML types and raises on any tag it has no constructor for, so the fix is to derive the custom loaders from yaml.SafeLoader and register only the tags the format actually needs. Note that in PyYAML 5.1 and later yaml.load warns when called without an explicit Loader, but yaml.Loader itself is still the unsafe full loader, so a subclass of it remains exploitable by untrusted input regardless of PyYAML version.
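The loader-inheritance mistake and its fix, reproduced with PyYAML as an added example (this is not code from the Murano project). The two UI documents, the !yaql tag and the loader class names are constructed for illustration; the malicious document uses builtins.sum as a harmless stand-in for the callable an attacker would pick. A third function shows a safe pre-flight audit that composes the node graph without constructing any objects, which is how to scan existing packages for python/* tags before loading them.

```python
# Added example (not Murano's own code): the yaml.Loader inheritance bug behind
# CVE-2016-4972 and its SafeLoader fix. Documents, tag and class names are
# constructed for illustration and are assumptions, not the project's real ones.
import yaml

# Constructed sample: a UI definition whose "name" field carries an extended
# YAML tag. yaml.Loader resolves python/object/apply to an arbitrary callable
# and invokes it during parsing (builtins.sum here; os.system would work too).
MALICIOUS_UI = """\
Version: 2
Application:
  name: !!python/object/apply:builtins.sum [[1, 2, 3]]
"""

# Constructed sample: a benign document using only the custom tag the
# hypothetical parser legitimately supports.
BENIGN_UI = """\
Version: 2
Application:
  expr: !yaql "$.x"
"""


def _construct_yaql(loader, node):
    """Stand-in for a project-specific tag constructor (assumption: the real
    Murano constructors differ; only the loader base class matters here)."""
    return ("yaql", loader.construct_scalar(node))


class VulnerableLoader(yaml.Loader):
    """The flawed pattern: custom tags layered on yaml.Loader, which inherits
    every python/* constructor and so instantiates arbitrary Python objects."""


class FixedLoader(yaml.SafeLoader):
    """The fix: build on yaml.SafeLoader, which knows only the core YAML types
    plus the constructors explicitly registered on this subclass."""


# add_constructor copies the table into the subclass, so yaml.Loader and
# yaml.SafeLoader themselves are not modified by these registrations.
VulnerableLoader.add_constructor("!yaql", _construct_yaql)
FixedLoader.add_constructor("!yaql", _construct_yaql)


def load_vulnerable(text):
    """Parses with the yaml.Loader subclass; python/* tags are executed."""
    return yaml.load(text, Loader=VulnerableLoader)


def load_fixed(text):
    """Parses with the SafeLoader subclass; returns None when the document
    uses a tag the loader has no constructor for (the hardened behaviour)."""
    try:
        return yaml.load(text, Loader=FixedLoader)
    except yaml.constructor.ConstructorError:
        return None


def find_python_tags(text):
    """Pre-flight audit: compose the node graph only (no constructor runs,
    so nothing is instantiated) and report every python/* tag present."""
    found = []

    def walk(node):
        if node.tag.startswith("tag:yaml.org,2002:python/"):
            found.append(node.tag)
        if isinstance(node, yaml.SequenceNode):
            for child in node.value:
                walk(child)
        elif isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                walk(key)
                walk(value)

    root = yaml.compose(text, Loader=yaml.SafeLoader)
    if root is not None:
        walk(root)
    return found


if __name__ == "__main__":
    print("vulnerable loader:", load_vulnerable(MALICIOUS_UI)["Application"]["name"])
    print("fixed loader on malicious doc:", load_fixed(MALICIOUS_UI))
    print("fixed loader on benign doc:", load_fixed(BENIGN_UI)["Application"]["expr"])
    print("audit:", find_python_tags(MALICIOUS_UI))
```

With the vulnerable loader the "name" field comes back as 6, the return value of the callable the document named; the SafeLoader-based class rejects the same document while still handling the custom !yaql tag. The audit function is safe to run on untrusted files because yaml.compose never calls a constructor.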
References
- www.openwall.com/lists/oss-security/2016/06/23/8 (NVD: Patch, Third Party Advisory)
- bugs.launchpad.net/murano/+bug/1586079 (NVD: Patch, Vendor Advisory)
- bugs.launchpad.net/python-muranoclient/+bug/1586078 (NVD: Patch, Vendor Advisory)
- github.com/advisories/GHSA-87r7-q54j-f9qg (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-4972 (GHSA: Advisory)
- github.com/openstack/murano/blob/c898a310afbc27f12190446ef75d8b0bd12115eb/releasenotes/notes/safeloader-cve-2016-4972-19035a2a091ec30a.yaml (GHSA: release note)
- github.com/openstack/murano/blob/c898a310afbc27f12190446ef75d8b0bd12115eb/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po (GHSA: release note translation)
- github.com/openstack/murano/commit/28de8c36c9dbe4aaf4d062e6fb6099afd437f49b (GHSA: fix commit)
- github.com/pypa/advisory-database/tree/main/vulns/python-muranoclient/PYSEC-2016-22.yaml (GHSA: PyPA advisory)